confusion regarding authentication

In HFSJ (2nd ed.), on page 688, it says 'when you are using declarative authentication, the client never makes any direct request for the login', and it is explained that this way you can ensure that login information is always transported through SSL.

But what about web applications where the user generally has to log in even before actually starting to use the application?
How to ensure that the first request containing login information will be protected, as the user will put the information in the very first screen, which might be ...xxxx/login.jsp?

How to ensure that the first request containing login information will be protected, as the user will put the information in the very first screen, which might be ...xxxx/login.jsp?

That's what they mean by 'when you are using declarative authentication, the client never makes any direct request for the login'. If the client accesses a protected resource, he will be asked to log in. So if you protect all resources, the client will have to log in at least once before accessing any page.

Thanks for the reply, but I wish to know what happens in the web applications (JSP/servlet tech) we come across every day where we have to log in first; more precisely, the first page itself is a login JSP. Instead of declarative authentication, what is used there?